Bachelor thesis Computer Science Radboud University Cache Cookies: searching for hidden browser storage Author: First supervisor/assessor: Patrick Verleg Prof. dr. M.C.J.D van Eekelen s3049701 [email protected] Second assessor: Dr. ir. H.P.E. Vranken [email protected] June 26, 2014 Abstract Various ways are known to persistently store information in a browser to achieve cookie-like behaviour. These methods are collectively known as `su- per cookies'. This research looks into various super cookie methods. Atten- tion is given to the means a user has to regulate data storage and what is allowed by the cookiewet. The main goal of this research is to determine whether a browser's cache can be used to store and retrieve a user's unique identification. The results show that this is the case, and these `cache cookies' use a method so fun- damentally entangled with the cache that there is no easy way to prevent them. Because of cache cookies and other methods, the only way to prevent all tracking methods is to disable cache, history, cookies and plug-in storage. Contents 1 Introduction 2 2 Cookies for maintaining browser state 5 2.1 Storing and retrieving cookies . .5 2.1.1 Same-origin policy . .6 2.1.2 Third party cookies . .6 2.2 Protection against cookies . .7 2.2.1 Technical means . .7 2.2.2 Regulation . .8 3 Super cookies 11 3.1 Plug-in cookies . 11 3.2 HTML 5 . 14 3.3 Misusing browser features . 15 3.4 Regulation . 18 4 Research: Cache Cookies 20 4.1 Method . 20 4.1.1 Storing cache cookies . 20 4.1.2 Retrieving cache cookies . 21 4.2 Validation . 22 4.3 Comparison with other techniques . 23 4.3.1 Strong points . 23 4.3.2 Weak points . 24 4.4 Reflection . 24 4.5 Related work . 25 5 Conclusions 26 5.1 Further research . 26 A Code 32 1 Chapter 1 Introduction The internet used to be a place where web site content was provided almost exclusively by the web site owner. Over the last decade, this has changed rapidly. Web sites are no longer isolated sites on the Internet, but form a tangled web where third parties provide social integration, advertisements, web analytics and more. It's not uncommon for websites to embed a dozen of third parties [6] and that number has grown over the last years [5]. As the web evolved, so did the techniques deployed by third parties to accurately track users on different pages and between different web sites. Roughly six business models can be distinguished that depend on embedding third party content [6]: • Advertising companies combine browsing data to create elaborate user profiles used to serve ads. • Analytical services aim to give the web site owner insight in visitor behaviour. Most analytic tools depend on JavaScript informing the third party on visitor's actions. • Social integration offer integration with social media sites. Exam- ples include Facebook's like button and Twitter's tweet button. Even users who are not logged in are tracked by some social buttons [21]. • Content providers host content that is embedded in the web site, such as video, audio and news. • Frontend services host Javascript libraries in order to provide con- tent or speed up page loading. • Hosting platforms such as Akamai help content providers with dis- tribution of their content. Furthermore, law enforcement and intelligence agencies might use web track- ing to partially undo anonymization efforts [32]. For example, the United 2 States' National Security Agency has shown interest in tracking cookies for this purpose [26]. Although visitor tracking to some extent is possible in all business models mentioned above, they are of vital importance to advertising networks. For serving relevant ads, they depend on user profiling: the process of gathering information specific to each visitor in order to customize web site content [3]. These profiles contain more than the user's gender or socioeconomic status. A publicly available segmentation of advertising network Epic Mar- ketplace offered an interesting insight in to what extent users are being pro- filed [34]. Segmentations included getting pregnant and fertility, menopause and repairing bad credit. With upcoming techniques like real time bidding, advertisement net- works bid on available ad slots while a web page is loading. The amount offered for an ad slot depends on the profile of that specific visitor. For example, a higher bid can be made if the advertising network decides that a user is a better match to the product being advertised. In other words, advertisement networks that have more information can build better profiles and place a better substantiated bid. Since one of the keys to better profiling is collecting more data, advertis- ing networks are looking for more ways to identify users. Three techniques can be distinguished [6]. • Data storage depends on recognizing a user by storing uniquely iden- tifiable data on their computer and retrieving it afterwards. • Active fingerprinting depends on requesting properties from the device that is used to visit the web page. These properties include in- stalled fonts, plug ins and supported MIME-types. Also fingerprinting based on a device's accelerometer has been shown to work [28]. • Passive fingerprinting is a fingerprinting method where input con- sists of properties that need not to be requested but are always pro- vided by the visitor. These properties include IP-address, operating system and user agent. Since these properties are always sent, there is no way for a user to know whether he is fingerprinted. In this research we will focus on ways to store data on the computer of a web site visitor. This is the most reliable technique, since the data stored is chosen by the web server and therefore uniqueness can be guaranteed. In other words: it is not possible to mix-up users. Fingerprinting heuristics lack this property, but they have shown remarkable accuracy in both test and real world environments. For example, heuristics on web browsers using both Flash and Java could uniquely identify of 94% the test cases and and changes in fingerprint data (such as a changing IP address) can be matched to the old fingerprint in 99% of the cases [2]. Similar methods have also been 3 tested on Hotmail and Bing, confirming their privacy risks: 80% of the hosts could be identified by their user agent and IP address alone, yielding to a similar effectiveness as obtained with cookie usage [11]. With at least 145 of the Internet's top 10,000 sites using fingerprinting, it is more widespread than previously thought [1]. In this research, we will try to answer our main research question: What methods are known to persistently store identifiable infor- mation in a browser and can cache contents be used to introduce a new way of persistently storing such information? To answer this question, we will first consider the conventional way of stor- ing information: cookies (chapter 2). Since http is a stateless protocol [29], cookies were invented as a way to maintain browser state between consec- utive visits. Storing data on a computer with cookies are therefore the most common way to store data on a visitor's computer and thus track visitors. Users, however, demand control over their online privacy. Stud- ies on US citizens have shown that 65% of respondents found the idea of targeted advertising invasive and 54% said they did not like the idea of ad targeting [7][30]. Because tracking is such a controversial topic, we will be focussing on means the user has to protect his or her privacy throughout this research. Both technical means and legal aspects will be discussed. We will continue our research to persistent storage with non-standard storage methods. These non-standard methods are known as super cookies (chapter 3). We will look into different types of super cookies and their properties. Furthermore, we will investigate how people can regulate super cookie placement and whether European regulation is also applicable to super cookies. After investigating cookies and super cookies, we will present the main contribution of this research: a way to persistently store information in the browser's cache that can be used to uniquely identify a user (chapter 4). We will show that cache cookies provide a reliable way of identifying visitors in an advertising network scenario. Cache cookies' strong and weak points will be compared with other super cookie methods and performance and consequences will be discussed. We have implemented cache cookies in a proof of concept that works on all major browsers. The code for this proof of concept can be found in appendix A. 4 Chapter 2 Cookies for maintaining browser state When browsing the web, all information sent and received by the browser uses the http protocol [29]. Since http is a stateless protocol, an addition is needed to maintain browser state (such as the user account logged in with). Lou Montulli, working with what would later be known as Netscape Communications, added support for retaining browser state by letting web sites store small pieces of text on the visitor's computer. These became known as cookies and were added to every outgoing http request. 2.1 Storing and retrieving cookies Both http request and response messages may contain headers. Request headers can, amongst others, include preferred language, user agent and ac- cepted encoding. Response headers typically contain properties like caching directives, content type and language. When the server needs to place a cookie, it sets the Set-Cookie header with the cookie's content. For example, Wikipedia places a cookie with your estimated physical location.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages35 Page
-
File Size-